| Name | CVE-2020-1712 |
| Description | A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3063-1 |
| Debian Bugs | 950732 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| systemd (PTS) | jessie, jessie (lts) | 215-17+deb8u15 | fixed |
| stretch (security) | 232-25+deb9u14 | fixed | |
| stretch (lts), stretch | 232-25+deb9u17 | fixed | |
| buster, buster (lts) | 241-7~deb10u11 | fixed | |
| buster (security) | 241-7~deb10u10 | fixed | |
| bullseye | 247.3-7+deb11u5 | fixed | |
| bullseye (security) | 247.3-7+deb11u6 | fixed | |
| bookworm | 252.31-1~deb12u1 | fixed | |
| sid, trixie | 257~rc2-3 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| systemd | source | wheezy | (unfixed) | end-of-life | ||
| systemd | source | jessie | (not affected) | |||
| systemd | source | stretch | 232-25+deb9u14 | DLA-3063-1 | ||
| systemd | source | buster | 241-7~deb10u4 | |||
| systemd | source | (unstable) | 244.2-1 | 950732 |
[jessie] - systemd <not-affected> (Vulnerable code introduced later)
https://github.com/systemd/systemd/commit/773b1a7916bfce3aa2a21ecf534d475032e8528e (preparation)
https://github.com/systemd/systemd/commit/95f82ae9d774f3508ce89dcbdd0714ef7385df59 (preparation)
https://github.com/systemd/systemd/commit/7f56982289275ce84e20f0554475864953e6aaab (preparation)
https://github.com/systemd/systemd/commit/f4425c72c7395ec93ae00052916a66e2f60f200b (preparation)
https://github.com/systemd/systemd/commit/1068447e6954dc6ce52f099ed174c442cb89ed54 (introduce new API)
https://github.com/systemd/systemd/commit/637486261528e8aa3da9f26a4487dc254f4b7abb (use new function to fix CVE-2020-1712)
https://github.com/systemd/systemd/commit/5c1163273569809742c164260cfd9f096520cb82 (documentation)
https://github.com/systemd/systemd/commit/bc130b6858327b382b07b3985cf48e2aa9016b2d (documentation)
Introduced by https://github.com/systemd/systemd/commit/70244d1d25eb80b57e160ea004d0e6bf793d4caf (v220)
https://bugzilla.redhat.com/show_bug.cgi?id=1794578
https://bugs.chromium.org/p/project-zero/issues/detail?id=1971
https://www.openwall.com/lists/oss-security/2020/02/05/1